
AnonymousMedia.org


    I am not a robot: ClickFix used to deploy StealC and Qilin


    ClickFix is an increasingly common tactic used by threat actors to install malicious software on victims’ devices. It has gone through a number of evolutions but essentially relies on a victim following a series of instructions that masquerade as a human verification request. The actions result in the download of malware, typically an infostealer or remote access trojan (RAT).

    Counter Threat Unit™ (CTU) researchers investigated Qilin ransomware deployment linked to a ClickFix campaign. The infection chain began when a user visited a legitimate but compromised domain and then followed prompts to inadvertently install NetSupport Manager. This victim’s account was later observed in malicious activity associated with Qilin deployment.

    Attack chain

    In this incident, the victim visited a website (aquafestonline[.]com) that contained an embedded malicious script. This script fetched a heavily obfuscated external JavaScript file (d.js) from islonline[.]org (see Figure 1).

    Figure 1: Malicious JavaScript embedded into the compromised web page

    This malicious script fingerprints the user’s operating system and browser type and creates a unique eight-character alphanumeric string. This string is used for tracking purposes and to limit attacks on the system to one per 24-hour period. The script also creates an invisible full-screen iframe overlay that loads a PHP file from hxxps://yungask[.]com/work/index.php?xxxxxxxx (see Figure 2).

    Figure 2: Portion of the malicious d.js script that creates the iframe and loads a PHP file

    The index.php file dynamically generates malicious content that displays the ClickFix page to the user (see Figure 3).

    Figure 3: ClickFix verification page displayed to user

    After the victim completes the fake verification process, a batch file containing NetSupport Manager Client files is downloaded from hxxps://2beinflow[.]com/head.php to the victim’s system (C:\ProgramData\jh.bat), where it is executed. The batch file retrieves a ZIP archive, saves it as C:\ProgramData\loy.zip, and then writes the extracted files into C:\ProgramData\Disy. The batch file then launches the NetSupport Manager Client application (client32.exe) and establishes persistence by creating a registry Run key. Although NetSupport Manager is a legitimate remote access tool, it is often referred to as NetSupport RAT due to its popularity with threat actors. CTU™ researchers observed the NetSupport RAT connecting to a command and control (C2) server at 94[.]158[.]245[.]13. As of this publication, this IP address is associated with a Windows Server 2012 operating system and exposes ports 3389 (RDP), 443 (HTTPS), and 5986 (WinRM) (see Figure 4).

    Figure 4: NetSupport RAT C2 server with exposed ports 443, 3389, and 5986 (Source: shodan.io)

    A ZIP archive was subsequently downloaded from this C2 server to the victim’s system (c://users/public/mir2.zip). This archive contained a copy of the legitimate Microsoft Media Foundation Protected Pipeline executable (mfpmp.exe), which sideloaded a malicious DLL file (rtworkq.dll) and resulted in a StealC V2 infostealer infection. The first version of StealC was launched in 2023 and sold on underground marketplaces until StealC V2 was released in March 2025. The updated version offered significant upgrades in terms of stealth and versatility.

    Approximately one month after the StealC infection, Qilin ransom notes (README-RECOVER-ID-.txt) were dropped on the network. Analysis revealed that the threat actor used stolen credentials to access the network via a privileged account on a Fortinet VPN device. Two other user accounts from the attacker’s origin also established VPN tunnels. One of these accounts was associated with the victim of the initial ClickFix compromise.

    CTU researchers assess with moderate confidence that an initial access broker obtained the credentials via StealC and sold them to a Qilin affiliate, or that a Qilin affiliate purchased the credentials from a marketplace such as Russian Market. Figure 5 shows the full infection chain for this campaign.

    Figure 5: Full infection chain resulting in Qilin ransomware deployment

    Recommendations

    Qilin has been the most prevalent ransomware-as-a-service (RaaS) operation between January 2024 and December 17, 2025, listing 1,168 victims on its data leak site during that period. Operated by the financially motivated GOLD FEATHER threat group, the scheme uses the name-and-shame or double-extortion model, meaning that affiliates steal data to extort ransom in addition to encrypting files and systems.

    CTU researchers recommend that organizations implement good cybersecurity hygiene to mitigate the threat from ransomware. These practices include patching vulnerable internet-facing devices and services in a timely manner, only exposing potentially vulnerable services such as RDP to the internet if there is a business need, and robustly implementing phishing-resistant multi-factor authentication (MFA) across the network. Endpoint detection and response (EDR) solutions are also essential for identifying and mitigating precursor ransomware activity.

    Detections and threat indicators

    SophosLabs has developed the following detections for this threat:

    • ATK/Shanya-B
    • Mal/NetSupRat-A

    The threat indicators in Table 1 can be used to detect activity related to this threat.

    Indicator | Type | Context
    c://users/public/mir2.zip | File path | Location of StealC V2 package downloaded via NetSupport RAT
    0c71102046bea598d2369d2fca664472 | MD5 hash | ZIP archive containing NetSupport RAT (Loy.zip) used to download StealC
    b5a445a18258f37edc5c8ee57bc77d4b75d9b7dd | SHA1 hash | ZIP archive containing NetSupport RAT (Loy.zip) used to download StealC
    2e0ea138be2d206305a6583730a20754786de71a18e64e8e24c4f771d2438855 | SHA256 hash | ZIP archive containing NetSupport RAT (Loy.zip) used to download StealC
    ee75b57b9300aab96530503bfae8a2f2 | MD5 hash | NetSupport RAT (client32.exe) used to download StealC
    98dd757e1c1fa8b5605bda892aa0b82ebefa1f07 | SHA1 hash | NetSupport RAT (client32.exe) used to download StealC
    06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268 | SHA256 hash | NetSupport RAT (client32.exe) used to download StealC
    e02a63b8b70a83a0639c7b18f6b3742c | MD5 hash | StealC V2 package (mir2.zip) downloaded via NetSupport RAT
    d098222025c2e4ffa04bd1045a1e4ac081a616dd | SHA1 hash | StealC V2 package (mir2.zip) downloaded via NetSupport RAT
    369c18819a35e965c83cdeab07f92eecf69a401030dd8021cb118c9c76176f31 | SHA256 hash | StealC V2 package (mir2.zip) downloaded via NetSupport RAT
    13fe3c1072ce308192994f2d7b329f7c8cbb192d49bdb538872383192d133ebb | SHA256 hash | Malicious DLL (rtworkq.dll) sideloaded to run StealC

    Table 1: Indicators for this threat




    12/19/2025

    The right-wing group rallying youth in South Korea


    Jake Kwon, Seoul correspondent

    Image (BBC/Hosu Lee): A person in sunglasses, a red scarf and a red cap that says 'MAKE KOREA GREAT AGAIN' bangs a drum hanging from his front, while a woman beside him does the same.

    Many among South Korea’s anti-government youth protesters are taking cues from the American right’s Maga movement

    The line for a selfie with South Korea’s disgraced former President Yoon Suk Yeol stretched around Seoul’s iconic Gwanghwamun gate.

    Except Yoon wasn’t there; it was just a picture of him.

    The real Yoon is in prison facing insurrection charges. But that didn’t matter to the thousands of excited young men and women who had joined the rally organised by right-wing youth group Freedom University.

    Spearheaded by 24-year-old student Park Joon-young, Freedom University opposes what it sees as a status quo of corrupt, left-wing South Korean governments promising much but delivering little, especially for the nation’s youth.

    And in Yoon, they have found an unlikely hero.

    On the night of 3 December last year, Yoon, whose party had lost its majority in parliament, launched a desperate bid to reverse his fortunes by declaring martial law.

    He ordered troops into the parliament and the national election commission, claiming, without offering any evidence, that the country was under threat from North Korean sympathisers and Chinese spies who were conspiring to steal elections.

    Yoon’s move was defeated within hours, as furious South Koreans rallied. Thousands of citizens blocked the soldiers, and lawmakers made it inside the National Assembly – some even scaling the walls – to vote down the order.

    Yoon was impeached soon after and is now on trial, facing the possibility of life in prison. The saga was considered his political death. But to some, it has also made him a martyr.

    Image (BBC/Hosu Lee): A mirror with a large sticker of former South Korean President Yoon Suk Yeol, alongside other stickers, including ones that say "FREEUNIV", "YOON AGAIN", "PRESIDENT YOON", and "1st anniversary". Two people stand alongside it, one of them wearing a long white coat.

    Former president Yoon Suk Yeol has become a symbol of anti-government defiance for South Korea’s younger generations

    While he was never a popular president, and was especially unpopular among young South Koreans, Yoon has since his imprisonment become a symbol of rebellion for young people who have increasingly been feeling left behind.

    “When Yoon was elected, I think it wasn’t so much that we were happy to see a right-wing candidate win. It was more that a left-wing candidate lost,” Mr Park told the BBC.

    “Not many among the young people who are with us thought Yoon was doing well or that they liked Yoon when he was in power.”

    But, he says, while declaring martial law, Yoon had called out the Democratic Party for “abusing its power, passing absurd bills and cutting budget for youth policy”.

    “We saw that and now we are with him.”

    ‘Make Korea great again’

    Hyung Ki-sang, a 28-year-old who has been attending pro-Yoon rallies since the martial law declaration, told the BBC that he has been feeling for years that no political party cared about him. After watching Yoon’s claim of rigged elections – as well as many YouTube videos purporting to show evidence – he joined his first pro-Yoon rally.

    That was also organised by Freedom University.

    The group mobilised in universities across the country last year to oppose Yoon’s impeachment, and has grown quickly, drawing thousands of attendees to their rallies with aggressive social media campaigns.

    Freedom University’s founding philosophies are displayed prominently on banners and picket signs at its rallies: “Korea for Koreans,” “Chinese Communist Party out!”

    Many are also inspired by the American right’s Maga movement. “Make Korea Great Again” one sign read, while another said “We are Charlie Kirk” – a reference to the young Maga influencer who was assassinated in September.

    And while the latest polling shows that only around 27% of the Korean public actually agree with their views on Yoon, their rise represents a deeper polarisation that is taking hold in South Korea.

    The growth of a movement

    Like many of Freedom University’s supporters, Mr Park says he first turned to the right by rebelling against what he saw as the prevailing influence of the left.

    His father was the chief of a TV network that is often considered left-leaning, while his mother was an aide to left-wing former president Moon Jae-in. His mother and sister are outspoken feminists who had tried to “inject him” with their ideology, he told the BBC.

    Mr Park says he began to question his family’s politics in the #MeToo era, and was soon exposed to right-wing views online.

    For him, the American right is an inspiration.

    Image (BBC/Hosu Lee): A man with black hair and wearing a black speaks into a microphone.

    Park Joon-young, 24, is the leader of the Freedom University movement

    “I was often called extreme right and it is very easy to get cancelled in Korea. But in the US, it’s not like that. Charlie Kirk and Maga confidently delivered their message and spoke up,” he says. “We are trying to build the same type of platform where people can debate without fear.”

    He has rejected allegations that he and his movement are “far right”.

    He told the BBC that the most effective message for his group is the simplest one: “Korea is for Koreans.”

    This is accompanied by a series of claims against Chinese immigrants – the most popular of which are unproven and disputed allegations of them stuffing ballots and attacking Koreans. The government has strongly refuted these.

    The group also portrays President Lee Jae Myung’s efforts to thaw ties between Seoul and Beijing as proof that the current government is subservient to China.

    Mr Park says he mostly uses social media platforms popular with young people to spread his message. He started with EveryTime, a Korean online forum exclusive to university students, but has since moved his focus to making short-form videos which have gone viral on Instagram, Threads, and YouTube.

    The group then gained notoriety in September when it marched through Seoul’s Myeongdong neighbourhood, which is frequented by Chinese tourists and home to the Chinese embassy.

    Their videos, where protesters chant anti-Chinese slurs, have gone viral enough that Lee has declared that disinformation and hate speech has reached a dangerous level, and directed his government to criminalise them.

    But Freedom University’s message has proved effective in a country where Sinophobia is widespread and the population regularly ranks as one of the world’s least favourable towards China.

    It has also resonated deeply with Korean youth, many of whom are disenchanted with the state of the economy and their future prospects.

    Disenchanted youth

    The latest national survey suggests young South Koreans are the most pessimistic about their country’s future.

    Nearly 75% of them believe the economy is in poor shape, compared with their parents' generation, of whom around 50% hold a positive view of the economy.

    The country’s economy has grown only 1 to 2% since the pandemic – and with Trump’s trade war and growing Chinese competition, young South Koreans are feeling the squeeze.

    Home ownership rates for younger generations are at an all-time low. And despite South Korea’s education level being one of the highest in the world, the median monthly income sits around $1,600 per month.

    Youth psychiatrist and author Kim Hyun Soo says many of these youths hold a deep grudge against Lee’s Democratic Party, which has dominated politics for the past decade yet failed to deliver on its economic promises.

    “[Lee’s party] had completely failed its housing policy,” Mr Kim says. “Their largest grievances are really the lack of housing and employment.”

    The economic pinch, mixed with thriving reactionary online culture and tense gender dynamics, creates a fertile soil for groups like Park’s to recruit from.

    They are also the least critical of Yoon’s martial law move – only half of those under 30 believe he is guilty of insurrection.

    “The policies put forth by this government, they are absurd. They are not good for the youth. It’s so natural that the youth are speaking up now,” said 26-year-old Bae Jang-won, who spoke to the BBC at one of Freedom University’s rallies.

    Image (BBC/Hosu Lee): A man in glasses and a black puffer jacket punches the air while yelling, surrounded by a crowd of people holding banners and South Korean flags.

    Young people in South Korea are becoming increasingly angry about the state of the nation’s economy

    The psychiatrist, Mr Kim, says it is “imperative” that the youth are offered “new visions” to avoid deeper polarisation in the country: “We must show them that there’s hope.”

    And in the absence of that, he warns that the youth will increasingly turn to movements like Freedom University.

    Back at the rally, Kim Ji-min, 24, held up the “Korea for Koreans” sign next to his girlfriend, who waved a Korean flag. He said he joined the demonstration out of frustration that his country was going down the wrong path – his first time attending any kind of political event.

    “I was nervous and scared at first. But it feels nice after seeing many other young and like-minded people,” he said.

    Next to him, a girl, barely a teenager, picked up a sign that read “Never Surrender”.




    12/19/2025

    US carries out ‘massive’ strike against IS in Syria


    The US says its military has carried out a “massive strike” against the Islamic State group (IS) in Syria, in response to a deadly attack on American forces in the country.

    Defence Secretary Pete Hegseth said Operation Hawkeye Strike was aimed at eliminating IS “fighters, infrastructure, and weapons sites”.

    Fighter jets, attack helicopters and artillery hit multiple targets in central Syria, US officials told CBS, the BBC’s media partner in the US. Aircraft from Jordan were also involved.

    President Donald Trump later said “we are striking very strongly” against IS strongholds, after the 13 December IS ambush in the city of Palmyra in which two US soldiers and a US civilian interpreter were killed.

    In a post on X late on Friday, Hegseth wrote: “This is not the beginning of a war – it is a declaration of vengeance. The United States of America, under President Trump’s leadership, will never hesitate and never relent to defend our people.

    “If you target Americans – anywhere in the world – you will spend the rest of your brief, anxious life knowing the United States will hunt you, find you, and ruthlessly kill you.

    “Today, we hunted and we killed our enemies. Lots of them. And we will continue,” the US defence secretary added.

    Meanwhile, the US Central Command (Centcom) said that “US forces have commenced a large-scale strike” against IS, adding that more information would be provided soon.

    Posting on Truth Social later on, President Trump said the US “is inflicting very serious retaliation, just as I promised, on the murderous terrorists responsible”.

    He said the Syrian government was “fully in support”.

    Meanwhile, the UK-based Syrian Observatory for Human Rights (SOHR) said IS positions near the cities of Raqqa and Deir ez Zor were targeted.

    It said that a prominent IS leader and a number of fighters were killed.

    IS has not publicly commented. The BBC was unable to verify the targets immediately.

    Centcom, which directs American military operations in Europe, Africa and the Indo-Pacific, earlier said that the deadly attack in Palmyra was carried out by an IS gunman, who was “engaged and killed”.

    Another three US soldiers were injured in the ambush, with a Pentagon official saying that it happened “in an area where the Syrian president does not have control.”

    At the same time, the SOHR said the attacker was a member of the Syrian security forces.

    No group has claimed responsibility for the attack, and the identity of the gunman has not been released.

    In 2019, a US-backed alliance of Syrian fighters announced IS had lost the last pocket of territory in Syria it controlled, but since then the jihadist group has carried out some attacks.

    The United Nations says the group still has between 5,000 and 7,000 fighters in Syria and Iraq.

    US troops have maintained a presence in Syria since 2015 to help train other forces as part of a campaign against IS.




    12/19/2025